Terry Childs's Slow Road To Justice

snydeq writes "Deep End's Paul Venezia provides an update on the City of San Francisco's trial against IT admin Terry Childs, which — at eight weeks and counting — hasn't even seen the defense begin to present its case. The main spotlight thus far has been on the testimony of San Francisco Mayor Gavin Newsom. 'Many articles about this case have pounced on the fact that after Childs gave the passwords to the mayor, they couldn't immediately be used. Most of these pieces chalk this up to some kind of secondary infraction on Childs's part,' Venezia writes. 'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. In short, it was nothing out of the ordinary if you know anything about network security.' But while the lack of technical expertise in the case is troubling, encouraging is the fact that the San Francisco Chronicle's 'breathless piece reporting on the mayor's testimony' drew comments 10-to-1 in Childs's favor, which may indicate that 'public opinion of this case has tilted in favor of the defense,' Venezia writes. Of course, 'if [the trial] drags into summer, Childs will have the dubious honor of being held in jail for two full years.' This for a man who 'ultimately protected the [City's] network until the bitter end.'"

Sure they could have been readily used.

[mysidia]

'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. I

Don't use a non-specified IP address.

Or more specifically: graph a console cable, plug it into the device, and do what you need to do.

That an unskilled individual would not necessarily be able to easily use them does not mean Childs did anything wrong.

In fact, this is exactly how things should be -- in case the password is compromised, there should be additional layers of defense (IP access lists), to prevent convert abuse of accidentally leaked passwords.

No one password should ever give anyone free reign over a critical network, without at least also having physical access or passing through a designated management point.

Re:Both sides behaved terribly

[FooAtWFU]

It doesn't matter if his employers were competent or not; he should have let them have access to their own property.

His employer was the city. His job was to keep the passwords safe from everyone except the Mayor. When the mayor finally asked for them, I understand he gave them to him. Was there something in there that I missed?

Re:Both sides behaved terribly

"People authorized by city policy or law to have those passwords most likely included any number of his bosses on up the chain of command"

You are guessing incorrectly, the actual county policy has been previously posted, and indeed, the mayor was the only person authorised. Whether that's an oversight or not, that was the policy.

"but let's not try to pretend that he didn't violate rules and/or laws."

He didn't. You are welcome to prove that he did, but so far you are only guess despite no evidence to support your case.

Re:Both sides behaved terribly

It doesn't matter if his employers were competent or not; he should have let them have access to their own property.

His employer was the city. His job was to keep the passwords safe from everyone except the Mayor. When the mayor finally asked for them, I understand he gave them to him. Was there something in there that I missed?

I'm pretty sure that's not in his job description. The Mayor is not the 'head of IT', and normally most mayors would NOT know the network passwords. Why would they?

It was in his contract.

Re:Both sides behaved terribly

[Lord+Kano]

I can't say that I have read his official job description but I'm pretty sure that "keep the passwords to yourself and the mayor of a major metropolitan city" wasn't it. It was probably "to keep the passwords safe from people not authorized to have them."

If I remember correctly, they tried to get the passwords out of him after he was released from the city's employment. If that's the case, his job description no longer factored in.

"You're fired. Give me the network passwords."
"Sorry, that is no longer my job."
"I'm calling the police."

LK

Re:Both sides behaved terribly

[sjames]

He did. There was a written policy from his employer that he was not to disclose those passwords under any circumstances and he followed that policy to the letter.

If that's not what was wanted, I guess it shouldn't have been the policy. Note that the incident where he was finally jailed was when he refused to disclose them on a conference call where he couldn't possibly know who might be listening.

Re:Overstepped bounds

[georgewilliamherbert]

Except that the policy of SanFran (quoted in a response to previous article on Slashdot, so I'm going to be lazy and let you do your own damn research for once) SPECIFICALLY required that he not reveal the passwords to anyone but the mayor, and certainly not to someone on an open fucking conference call to which anyone else, especially the "spy girl" who he had turned in when he caught her rummaging through shit after hours, might have been party.

He delivered the passwords, AS PER WRITTEN SANFRAN POLICY, to the Mayor in a face-to-face meeting. That is what was required of him by SanFran code. The people who tried to get him to break that policy are the idiots who should lose their jobs and be on trial.

This is rapidly becoming myth rather than fact-based.

The overall policy page is:
http://www.sfgov.org/site/coit_index.asp?id=56853

The security policy is specifically:
http://www.sfgov.org/site/coit_page.asp?id=79251

Which, basically, says "follow this inter-county planning document":
http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf

The password policy in CCISDA states:

(pp 32 of the document)

4. Policy
4.1. General
All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a monthly basis.
All production system-level passwords must be part of the security administered global password management database.

(removed)

B. Password Protection Standards
Do not use the same password for County accounts as for other non-County access (e.g., personal Internet Service Provider (ISP) account, option trading, benefits, etc.). Where possible, don’t use the same password for various County access needs. For example, select one password for the network systems and a separate password for application systems. Also, select a separate password to be used for a NT account and an AS400 or UNIX account.
Do not share County passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential County information.
Here is a list of things to avoid:
Giving your password over the phone to ANYONE.
Sending a password in an e-mail message.
Telling your boss your password .
Talking about a password in front of others.
Hinting at the format of a password (e.g., “my family name”).
Writing in your password on questionnaires or security forms.
Sharing your password with family members.
Telling your co-workers your passwordwhile on vacation.
If someone demands a password, refer him or her to this document or have him or her call someone in Information Security.
Never use the “Remember Password” feature of applications (e.g., Eudora, Outlook, Netscape Messenger).
If you must your passwords down, store them is a secure place and never anywhere in your office.
Passwords stored in a file on ANY computer system (including Palm Pilots or similar devices) can be compromised if encryption isn’t used to secure them.
Change passwords at least once every three months (except system-level passwords, which must be changed monthly). Changing them more often is better.
If you suspect that your account or password is compromised, report the incident per the Incident Response Policy and change all passwords.
Password strength checking may be performed on a periodic or random basis by departmental or county IT or its delegates. Any passwords found out during one of these scans will require the user to change it.

Though the "Do not tell anyone your password" sect